OS X Gatekeeper and Aalto’s watermarking

The new Aalto installer is not code signed to pass Gatekeeper on Lion and Mountain Lion. To install your Aalto download on these systems, please visit Apple's page here [support.apple.com] and follow the instructions under "How to open an app from an unidentified developer and exempt it from Gatekeeper." That will get you up and running. For the whole story, read on.

If you bought a licensed copy of Aalto, you have experienced one aspect of it I'm particularly happy with: its watermarking system. Making this software is my livelihood, so I need people to support my work by buying it instead of just using a copy downloaded from somewhere. This is a problem faced by all developers, big and small, and typically addressed with some kind of copy protection.

I'm not happy with the idea of copy protection for my software because I think copy protected software is broken software. You should be able to move and copy any data on your computer without worrying if it will be usable later, programs and media files included. This is hard enough to accomplish without software publishers deliberately making it harder.

Hardware dongles are probably the worst example of making things harder for the user. I assume the reader is familiar with iLok and the like, and has possibly experienced the nausea at the gig on realizing the dongle is at home in the desk drawer. Thankfully, dongles are on the way out. Any company that uses them is willing to make your life more than a little worse in return for a little more sales, and should be avoided.

A kinder solution is the software challenge/response system. These come in many different forms, and can be very bad, or only a little annoying, depending on implementation. The ones that are just a little annoying will ask you to upload some information to identify your machine, then give you a code that authorizes you to run the software on that machine. Sounds simple, but this can go wrong in quite a few ways:
• breaking the software when seemingly unrelated hardware configuration changes
• interfering with the operation of debuggers (I'm looking at you, PACE)
• not allowing copy/paste of the response code, resulting in manual errors

But these are all minor problems. The overriding problem is that from the user’s perspective such a system has no reason to exist in the first place, and can only make life worse, unless you buy the argument that the company making the software could simply not pay the bills without it in place.

With the release of Aalto, I implemented a watermarking system that works transparently for the user. If you have bought a license to use Aalto, you can log in to the website, and click a link at any time to download the latest version. When you click the link, the server makes a personalized version of the installer with your name and serial number encoded into it. Your registration is inserted into the executable plugin code itself, so when you copy the plugin to use on another computer, it will just work---there's no key file to hunt down and copy, or installation process to do over. I think this was a good solution to the problem of how to encourage buying the software, but without creating any hassles for the user.

Enter Gatekeeper. Gatekeeper is a new feature in Mountain Lion and OS X Lion v10.7.5 that is intended to keep malicious software from running on your computer. It checks applications downloaded from the internet the first time they are opened and, by default, lets through only those that are code signed. Code signing means we developers sign our apps with a Developer ID certificate issued by Apple, so the signature both identifies who produced the actual bits being downloaded and proves that those bits have not been altered since they were signed.

Code signing, by design, breaks the watermarking process I was so proud of implementing. The watermark is a change to the installer binary made after signing, which is exactly the kind of change Gatekeeper exists to reject. You might think, what if code signing had some feature that allowed for a watermark but rejected other changes? Unfortunately this isn't possible for Gatekeeper to do while fulfilling its mission. There's no way to ensure that the changed bits aren't going to be executed by the program, and any change to an executable file could be enough to turn a program malicious.

I have no problem with Apple’s strategy... so far. Malicious software is a huge problem for many users, and overall this will make life better for people. Expert users who want more control and know what they are doing can turn Gatekeeper off. If Apple ever decides to make that impossible, it would be a huge blunder in my opinion, but that doesn't mean it won’t happen. So I should have some plan for delivering my software on Mac OS X if it does.

Is there a way I can both watermark and code sign my products? Yes, in theory. It would be possible to do the code signing process on the server, on each watermarked installer before each download. However, porting Apple's tools to my Linux server would be a lot of work I don't have the resources for, work that would need to be redone every time Apple changed any small aspect of their code signing process. I would love to hear about someone who’s currently doing this, because I'd like to have the best of both worlds. But it’s nothing I can take on myself.

The next best thing I can come up with is to move to a key file system. I will try to think of a way to use the website to make this as transparent as possible. People are used to having registration files, so this won’t be a big problem. It will be kind of sad though because, for a while, I had something way more awesome.
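To make the trade-off above concrete, here is an added illustration in Python. It is not Madrona Labs' or Aalto's code; the reserved-slot layout and its sentinel are invented, HMAC-SHA256 stands in for the real public-key signature that a code signing certificate produces, and the name, serial and keys are sample values. It shows the registration being stamped into a slot in a stand-in plugin image, the build-time signature failing to verify afterwards, the signature verifying again if each personalized copy is re-signed (the server-side signing path), and the key-file alternative, where the binary stays byte-identical and the registration travels in a separately signed file.

```python
"""Added illustration, not Madrona Labs' or Aalto's code.

Slot layout, sentinel, keys, name and serial are all assumed sample values;
HMAC-SHA256 stands in for the certificate-based signature Gatekeeper checks.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

WATERMARK_MAGIC = b"AALTOWM1"                  # assumed sentinel marking the slot
WATERMARK_SLOT_SIZE = 128                      # assumed slot size, sentinel included
CODESIGN_KEY = b"vendor-codesign-key-SAMPLE"   # stand-in for the signing certificate
LICENSE_KEY = b"vendor-license-key-SAMPLE"     # separate key used only for key files

def build_plugin_image() -> bytes:
    """Constructed stand-in for the plugin binary as it leaves the build machine."""
    code = b"\x55\x48\x89\xe5" * 64            # filler "machine code"
    slot = WATERMARK_MAGIC.ljust(WATERMARK_SLOT_SIZE, b"\x00")   # blank slot
    return code + slot + b"\xc3" * 32

def sign_image(image: bytes) -> bytes:
    """Whole-file signature: the property code signing checks at launch."""
    return hmac.new(CODESIGN_KEY, image, hashlib.sha256).digest()

def verify_image(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_image(image), sig)

def embed_watermark(image: bytes, name: str, serial: str) -> bytes:
    """Server-side personalization: overwrite the slot with name and serial."""
    off = image.find(WATERMARK_MAGIC)
    if off < 0:
        raise ValueError("no watermark slot in image")
    payload = f"{name}\x00{serial}".encode("utf-8")
    body = struct.pack("<H", len(payload)) + payload   # length-prefixed record
    room = WATERMARK_SLOT_SIZE - len(WATERMARK_MAGIC)
    if len(body) > room:
        raise ValueError("registration too long for slot")
    slot = WATERMARK_MAGIC + body.ljust(room, b"\x00")
    return image[:off] + slot + image[off + WATERMARK_SLOT_SIZE:]

def read_watermark(image: bytes) -> Optional[Tuple[str, str]]:
    """What the plugin does at load: read its own registration, if stamped."""
    off = image.find(WATERMARK_MAGIC)
    if off < 0:
        return None
    start = off + len(WATERMARK_MAGIC)
    (n,) = struct.unpack_from("<H", image, start)
    if n == 0:
        return None                            # build-time image: slot still blank
    text = image[start + 2:start + 2 + n].decode("utf-8")
    name, _, serial = text.partition("\x00")
    return name, serial

def make_license_file(name: str, serial: str) -> bytes:
    """Key-file alternative: registration plus a tag over it; binary untouched."""
    body = f"name={name}\nserial={serial}\n".encode("utf-8")
    tag = hmac.new(LICENSE_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"sig=" + tag + b"\n"

def check_license_file(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (name, serial) if the tag verifies, None on any edit to the file."""
    body, _, tail = data.rpartition(b"sig=")
    expect = hmac.new(LICENSE_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expect, tail.strip()):
        return None
    fields = dict(line.split("=", 1) for line in body.decode("utf-8").splitlines())
    return fields["name"], fields["serial"]

def demo() -> dict:
    image = build_plugin_image()
    build_sig = sign_image(image)              # signed once, at build time
    personal = embed_watermark(image, "Ada Lovelace", "AALTO-0000-SAMPLE")
    license_file = make_license_file("Ada Lovelace", "AALTO-0000-SAMPLE")
    return {
        "watermark": read_watermark(personal),
        "build_sig_after_watermark": verify_image(personal, build_sig),          # False
        "resigned_after_watermark": verify_image(personal, sign_image(personal)),  # True
        "build_sig_with_key_file": verify_image(image, build_sig),               # True
        "license": check_license_file(license_file),
        "edited_license": check_license_file(license_file.replace(b"Ada", b"Bob")),  # None
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "resigned_after_watermark" line is the server-side signing idea from above: it only works if the signing step runs after personalization, and Apple's codesign tooling runs on OS X, which is the porting problem. The key-file path keeps the shipped binary identical for every customer, so one signature covers all of them. One caveat on the key file: a real deployment should sign it with a public-key scheme so the plugin only carries a public key, because an HMAC key embedded in the plugin, as in this illustration, can be pulled out of the binary and used to mint license files.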